Attacking encrypted bitmaps

2008-10-07

in Geek stuff, Internet matters, Photography, Security

Just because your photos are encrypted, it doesn’t seem that you can count on them to be totally unreadable to someone without the key. The attack only seems to work against bitmap images, so those secret JPGs, PNGs, and GIFs should be safe for now. This is because most types of files contain significantly more entropy than bitmaps. That is to say, there is a lot more redundant information in a BMP file than there is in something compressed. Even in the case of the vulnerable images, the technique can only produce “the outline of a high-contrast image.”

Once again, it proves the statement that ‘you can’t hide secrets from the future with math.’ Cryptographic attacks – and the resources available to attackers – will only keep increasing over time.

Report a typo or inaccuracy

{ 3 comments… read them below or add one }

Anon October 7, 2008 at 8:59 pm

Those rich in home-made porn and poor in compressed image file formats shall surely suffer most.

R.K. October 8, 2008 at 3:42 pm

Encrypting a bitmap is a bit like encrypting this kind of text:

“The password is coconut. The password is coconut. The password is coconut. The password is coconut. The password is coconut. The password is coconut. The password is coconut. The password is coconut. My name is Jim. My name is Jim. My name is Jim. My name is Jim. My name is Jim. The password is coconut. The password is coconut.The password is coconut. The password is coconut.”

The repetitiveness makes it likely that any weaknesses in the encryption system will be more easily discovered.

. October 9, 2008 at 3:13 pm

“New Attack” Against Encrypted Images
By Bruce Schneier

In a blatant attempt to get some PR:

In a new paper, Bernd Roellgen of Munich-based encryption outfit PMC Ciphers, explains how it is possible to compare an encrypted backup image file made with almost any commercial encryption program or algorithm to an original that has subsequently changed so that small but telling quantities of data ‘leaks’.

Here’s the paper. Turns out that if you use a block cipher in Electronic Codebook Mode, identical plaintexts encrypt to identical ciphertexts.

Yeah, we already knew that.

And -1 point for a security company requiring the use of Javascript, and not failing gracefully for a browser that doesn’t have it enabled.

And — ahem — what is it with that photograph in the paper? Couldn’t the researchers have found something a little less adolescent?

Leave a Comment

You can use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Previous post:

Next post: